Re: LDP client authentication fails
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 27 Apr 2007 09:33:13 -0500
Actually, AD does support client certificate authentication for binding and this can be done with ldp. It isn't well documented though. As long as the client certificate is available and SSL is being negotiated, the client certificate can be used. In general, the client certificate should be in the "my" store for the current user and must be a certificate that is trusted by the server.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
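To check the two conditions Joe names (a usable certificate in the current user's "my" store, and one the server will accept) before blaming ldp.exe, here is an added PowerShell diagnostic. It is my own example, not code from the thread, from Microsoft or from ldp.exe; the server name and port are placeholders, and it assumes the DC accepts TLS 1.2. It lists the certificates in CurrentUser\My that SChannel could offer at all, then performs a plain TLS handshake against the LDAPS port and reports whether a client certificate was actually sent.

```powershell
# Added diagnostic, not part of the thread or of ldp.exe. Assumptions:
# $LdapServer/$Port are placeholders for your own DC; the DC accepts TLS 1.2.
param(
    [string]$LdapServer = 'dc01.example.test',   # placeholder: DC FQDN as named in its server certificate
    [int]$Port = 636                              # LDAPS
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Step 1: which certificates in CurrentUser\My could SChannel offer at all?
# A candidate needs a private key, a Client Authentication EKU (or no EKU,
# which counts as any purpose), and a chain this machine trusts.
$candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.Count -eq 0 -or
     ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })) -and
    $_.Verify()
})
Write-Host ("Client-auth candidates in CurrentUser\My: {0}" -f $candidates.Count)
$candidates | Format-Table Subject, Issuer, NotAfter -AutoSize

if ($candidates.Count -eq 0) { return }

# Step 2: attempt a mutual-TLS handshake against the LDAPS port. SslStream
# sends a certificate only if the server requests one AND one of the
# candidates chains to a CA in the server's acceptable-issuers list, which
# is exactly the "trusted by the server" condition from the post above.
$collection = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
foreach ($cert in $candidates) { [void]$collection.Add($cert) }

$tcp = New-Object System.Net.Sockets.TcpClient($LdapServer, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    # last argument: check revocation of the server certificate
    $ssl.AuthenticateAsClient($LdapServer, $collection, [System.Security.Authentication.SslProtocols]::Tls12, $true)
    $sent = if ($ssl.LocalCertificate) { $ssl.LocalCertificate.Subject } else { '(none)' }
    [pscustomobject]@{
        ServerCertSubject     = $ssl.RemoteCertificate.Subject
        ClientCertSent        = $sent
        MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated
    }
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

Run it as the same user who will launch ldp.exe, since both read CurrentUser\My. If the handshake succeeds but ClientCertSent is "(none)", the server either never asked for a client certificate (it is not configured for client authentication) or none of the candidates chains to a CA the DC trusts, which is the "server needs the client's Root CA in its store" point made further down the thread; if AuthenticateAsClient throws, the failure is on the server-certificate side (name mismatch, untrusted root, revocation) and has nothing to do with the client certificate at all.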
--
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%23hO8tlMiHHA.3512@xxxxxxxxxxxxxxxxxxxxxxx
Inline
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Romil Shah" <RomilShah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8272DF53-420B-4B42-939E-1141BAC93344@xxxxxxxxxxxxxxxx
Hi Paul,
You are right that we need to copy the Root CA to the Trusted Root Certificate Authority store. I did this, but as per the main query I had, does the Active Directory client ldp.exe support client authentication?
I am not positive, but I would say that ldp does not support client authentication.
Any idea as to where to store the personal certificate of the ldp.exe client? I don't find any option in the ldp.exe tool.
So now the question comes as to whether the ldp.exe AD client supports client authentication. If not, then the server can never authenticate the client.
To store the client cert, just double-click on the cert and import it. Or open up IE, select Tools, Internet Options, Content tab, click on Certificates and import from there. This will add the workstation cert for you, but I don't see this working with LDP, but I could be wrong.
As the LDAP server is not receiving any certificate from the client side for authentication, I think ldp.exe is not supporting client authentication. But not sure if I am right on this... Any idea?
You could use IPsec and have your machine authenticate to the server.
Thanks.
Romil Shah
"Paul Bergson [MVP-DS]" wrote:
When you say you have copied the personal certificate of the server into the Trusted Root Certificates Authority, I am unclear as to what you mean. What you should have done is copy the Root CA of the server certificate into the client's Trusted Root Certificate Authority Store. Does the client also have a cert, and have you provided the server with the client's Root CA and placed that in its store?
The two need to trust one another's certificates before communications will occur.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Romil Shah" <Romil Shah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E46868D3-9D30-48F0-90F3-DA9B716E0F2C@xxxxxxxxxxxxxxxx
Hello,
I am using LDP.exe as a client to communicate with an LDAP server. The LDAP server is configured to use SSL with client/server authentication.
I have copied the personal certificate of the server into the Trusted Root Certificate Authorities.
I found that ldp.exe fails to connect to the server. SSL handshaking fails.
The queries that I have are as follows:
1) Does LDP.exe authenticate to the server (is client authentication supported?)
I am using Windows 2003 with SP1 installed.
I found that in Windows 2000 SP4 a bug on a similar line is fixed (811288). Is this bug fixed in Windows 2003 with SP1 installed?
2) If client authentication is supported, then which personal certificate does ldp.exe send to the server for authentication, and where is the personal certificate stored on Windows?
Looking forward to your suggestions.
Thanks,
Romil Shah